Currently viewing the tag: "reverse proxy"

WordPress – X-Forwarded-For header

By On · 2 Comments

For those that have not figured it out WordPress is the content management system for this site. I am using a plugin called StatPress. A “visitor” in the lingo of StatPress is not cookie based (which one could argue it should be, since so many places use web proxies for their clients, myself included) but is based on the client’s IP address. In my network the web server(s) are front-ended by a proxy server (so yeah I use proxies for my clients and my servers). I checked out WordPress ticket 4602 but apparently this has not made it into the code base yet.  I am an outsider with respect to WordPress development and plugin writing, but I think the plugins should be asking the core for things like client IP, etc..  This means one place to maintain, sanitize this information.

Anyways the code below is what I cobbled together into statpress.php file so that the “real” IP address of the client is seen by Statpress and thus my statistics are slightly more accurate. :) 

--- statpress.php       Wed Nov 12 04:30:35 2008
+++ statpress.php.new   Wed Nov 12 04:41:29 2008
@@ -1131,7 +1131,23 @@
        $vtime  = gmdate("H:i:s",$timestamp);

        // IP
-    $ipAddress = $_SERVER['REMOTE_ADDR'];
+
+        if ($_SERVER['HTTP_X_FORWARDED_FOR'] != "" ) {
+            $ipAddress = $_SERVER["HTTP_X_FORWARDED_FOR"];
+                if (strpos($ipAddress, ',') !== false) {
+                    $ipAddress = explode(',', $ipAddress);
+                    $ipAddress = $ipAddress[0];
+                }
+
+        } else {
+            $ipAddress = $_SERVER['REMOTE_ADDR'];
+        }
+
+
+
+
+
+
     if(iriCheckBanIP($ipAddress) == '') { return ''; }

        // URL (requested)
@@ -1320,8 +1336,20 @@
                $body = str_replace("%browser%", $browser, $body);
        }
        if(strpos(strtolower($body),"%ip%") !== FALSE) {
-           $ipAddress = $_SERVER['REMOTE_ADDR'];
-               $body = str_replace("%ip%", $ipAddress, $body);
+
+        if ($_SERVER['HTTP_X_FORWARDED_FOR'] != "" ) {
+            $ipAddress = $_SERVER["HTTP_X_FORWARDED_FOR"];
+                if (strpos($ipAddress, ',') !== false) {
+                    $ipAddress = explode(',', $ipAddress);
+                    $ipAddress = $ipAddress[0];
+                }
+
+        } else {
+            $ipAddress = $_SERVER['REMOTE_ADDR'];
+        }
+
+
+       $body = str_replace("%ip%", $ipAddress, $body);
        }
        if(strpos(strtolower($body),"%visitorsonline%") !== FALSE) {
                $to_time = current_time('timestamp');
If you find this helpful, please leave me a comment.  If anyone understands Italian and wants to send this over to the author of the plugin, please do and let me know.  I also need to now go hack the comments code so it does the same thing.  Of course then also package up both of these modifications so I can incorporate them in my future wordpress installs.